Domain 5: Governance, Risk, and Compliance (14%) Flashcards
5.3 Personnel
Least Privilege
Users are only given the lowest level of access needed to perform their
job functions
§ Does everyone in the company need to know employee salary data?
5.3 Personnel
Separation of duties
Requires more than one person to conduct a sensitive task or operation
§ Separation of duties can be implemented by a single user with a user and
admin account
5.3 Personnel
Job rotation
Occurs when users are cycled through various jobs to learn the overall
operations better, reduce their boredom, enhance their skill level, and
most importantly, increase our security
§ Job rotation helps the employee become more well-rounded and learn
new skills
§ Job rotation also helps the organization identify theft, fraud, and abuse of
position
5.4 Risk Management Strategies
Risk Avoidance
A strategy that requires stopping the activity that has risk or
choosing a less risky alternative
5.4 Risk Management Strategies
Risk Transfer
A strategy that passes the risk to a third party
5.4 Risk Management Strategies
Risk Mitigation
A strategy that seeks to minimize the risk to an acceptable level
5.4 Risk Management Strategies
Risk Acceptance
A strategy that seeks to accept the current level of risk and the
costs associated with it if the risk were realized
5.4 Risk Analysis
Residual Risk
The risk remaining after trying to avoid, transfer, or mitigate the
risk
5.4 Risk Analysis
Qualitative Risk Assessment Type
Qualitative analysis uses intuition, experience, and other methods to assign a
relative value to risk
o Experience is critical in qualitative analysis
5.4 Risk Analysis
Quantitative Risk Assessment Type
Quantitative analysis uses numerical and monetary values to calculate risk
o Quantitative analysis can calculate a direct cost for each risk
o Magnitude of Impact
ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence), where SLE = AV (Asset Value) x EF (Exposure Factor)
5.4 Business Impact Analysis
Single point of failure
The individual elements, objects, or parts of a system that would cause
the whole system to fail if they were to fail
5.2 Regulations, Standards, and Legislation
General Data Protection Regulation (GDPR)
Personal data cannot be collected, processed, or retained without the
individual's informed consent
§ Also provides the right for a user to withdraw consent, to inspect,
amend, or erase data held about them
§ Requires data breach notification within 72 hours
5.3 Personnel
Acceptable use policy
Defines the rules that restrict how a computer, network, or other systems
may be used
5.3 Organizational Policies
Change management
Defines the structured way of changing the state of a computer system,
network, or IT procedure
5.3 Personnel
Job Rotation
Different users are trained to perform the tasks of the same position to
help prevent and identify fraud that could occur if only one employee
had the job
5.3 Personnel
Onboarding and offboarding
Dictates what type of things need to be done when an employee is hired,
fired, or quits
§ Terminated employees are often not cooperative
5.3 Third-party risk management
Non-Disclosure Agreement (NDA)
Agreement between two parties that defines what data is considered
confidential and cannot be shared outside of the relationship
§ NDAs are a binding contract
5.3 Third-party risk management
Memorandum of Understanding (MOU)
A non-binding agreement between two or more organizations to detail
an intended common line of action
§ Can be between multiple organizations
5.3 Third-party risk management
Service-Level Agreement (SLA)
An agreement concerned with the ability to support and respond to
problems within a given timeframe and continuing to provide the agreed
upon level of service to the user
§ May promise 99.999% uptime
5.3 Third-party risk management
Business Partnership Agreement (BPA)
Conducted between two business partners that establishes the
conditions of their relationship
§ Can also include security requirements